3.3.5.20.3 Handling SMB2_0_INFO_SECURITY
This section assumes knowledge about security concepts, as described in [MS-WPO] section 9 and specified in [MS-DTYP].
The server MUST ignore any flag value in the AdditionalInformation field that is not specified in section 2.2.37.
The server SHOULD<411> call into the underlying object store to query the security descriptor for the object.
The fields required in the resulting security descriptor are denoted by the flags given in the AdditionalInformation field of the request.
If the OutputBufferLength given in the client request is either zero or is insufficient to hold the information requested, the server MUST fail the request with STATUS_BUFFER_TOO_SMALL. If Connection.Dialect is "3.1.1", the server MUST return error data containing the buffer size, in bytes, that would be required to return the requested information, as specified in section 2.2.2, with ByteCount set to 12, ErrorContextCount set to 1, and ErrorData set to SMB2 ERROR Context response with ErrorDataLength set to 4, ErrorId set to 0, and ErrorContextData is set to the buffer size, in bytes, indicating the minimum required buffer length; otherwise, the server MUST return error data with ByteCount set to 4 and ErrorData set to a 4-byte value indicating the minimum required buffer length. The server MUST NOT return STATUS_BUFFER_OVERFLOW with an incomplete security descriptor to the client as in the previous cases. If the underlying object store returns an error, the server MUST fail the request with the error code received.
If the underlying object store returns the information successfully, the server MUST construct an SMB2 QUERY_INFO Response with the following values:
OutputBufferOffset MUST be set to the offset, in bytes, from the beginning of the SMB2 header to the attribute data at Buffer[].
OutputBufferLength MUST be set to the length of the attribute data being returned to the client.
The security descriptor MUST be placed in the response in Buffer[].
The response MUST then be sent to the client.